I did a quick Google for the code again and it comes up with other sites that have been attacked by the same guys in the past ... none of which seem to have been hosted by Servage but it does look like they are the latest victim of the hackers.

My site was relatively easy to recover and I am lucky that our users were understanding and appreciated our quick response ... but I don't want to have to do it all over again.

I'm fairly sure that the hijack is nothing to do with an insecurity in WordPress because our site doesn't have any WordPress code and the hackers still gained access to edit any PHP script in the root folder. It also doesn't look like the hackers uploaded their own rootkit or administrator script either, because they shouldn't have been able to run it in any of the folders users can upload to and there are no traces of any spurious scripts. So ... I am waiting for a satisfactory explanation from Servage ;)

Due to the vast nature of the internet, we employ the same standard methods of safeguarding against malicious entry as all Web hosting companies. This is done through the standard username and passwords we assign to each of our clients. The complexity of the password chosen by the user determines the probability of hacking into a site. Our system will assign your username alphanumerically to assist you in securing your site, but we do encourage use of cryptic, alphanumeric passwords to lower the potential of unauthorized entry into your site. Please Check and confirm on your end. If you have made your passwords more secure then none should be able to hack into your account.

For a password to be strong, it should: * Be at least seven characters long. Because of the way passwords are encrypted, the most secure passwords are 6-12characters long. * Have at least one symbol character in the second through sixth positions. * Be significantly different from prior passwords. * Not contain your name or user name. * Not be a common word or name.

For maximum security please ensure your account password is secure (at least 6 mixed numbers and letters) and that it is changed regularly. Ensure that permissions for your folders are set to 755 and for files it is set as 644. Also check that no folders have insecure permissions such as 777.

But, as suggested by you, we will have this issue informed to our admins.

Hmm, yes if our passwords were insecure in the first place then I would believe that a hacker could have guessed them ... but they were quite secure. Also, I would like to know what measures Servage have in place to prevent brute-force attacks on the Control Panel login. Most network administrators will log repeated failed attempts on the authentication systems and then deny the user access for a period of time. The admins should also be aware of repeated attacks and take steps to block these as as a general measure to block hackers. I don't think it is good enough to just say that passwords must be secure because if a network allows many thousands of login attempts on the same account then any password can be cracked. I hope Servage have strong systems to protect the login process from brute-force attacks.

They do have a captcha on their Control Panel login, so I doubt brute force was the reason. MY FTP password on the other hand MIGHT have been used. If so, shouldn't servage be able to check their ftp login history at the time the files were modified (which I could easily give them)?.

As it was a very large number of PHP files that were modified, and all within seconds of each other, my hypothesis is that somehow someone managed to upload a script and execute it...

It's a good theory - the CAPTCHA should prevent brute force. The FTP system would seem to be more vulnerable to attack and would give the user access to upload scripts ... and perhaps they tidied it up afterwards too ... I will scan the system again, to make sure they didn't leave anything.

Ragnor: Sounds like their shared hosting servers are compromised at a higher level than your individual accounts.

I agree, it seems like an unbelievable coincidence that in one night a group of websites all hosted on the same company were hit ... and no other forums reporting similar attacks, as yet. Is there any way to prove that it must be the host's problem though? To the best of my knowledge Servage use their own software to manage their server clusters, which would suggest that it is less likely that the hackers used a known weakness with popular software ... but it might have made Servage's systems a tempting target for someone wanting a challenge.

Hello, Today my site (hosted at Servage) has been attacked. I have found this threat looking for an answer.I have received exactly the same answer from Servage as GeoffisPure .... funny

I am absolutelly sure that my password was not stolen (i had a quite complex one). Servage is clearly not providing the apropriate support and the security of their servers is clearly compromised. I am seriously thinking about changing to a more reliable host in case they don't give a satisfactory answer.

My wordpress installations at 'servage.net' was also changed yesterday (11. may 2011). Same as other comments the top of some php files now contains the string >>...$somecrainsignvar="f6lkhukr"; echo base64_decode(str_rot13...<<

Fortunatedly the hack made 2 of 3 wordpress installations break down, so that I noticed the break in.

I had an update from Customer Support to say that the Servage admins are still working on the issue. They have tracked the point of entry to the FTP system and have advised me to change all FTP passwords and make them highly complex. I'm pretty sure that the FTP password was already complex enough but I am at least pleased to see that they are taking this very seriously and are still working on it. Anyone else who has been hacked should report it to Servage and refer the CS techs to this forum thread ;)

Initially they suspected a WordPress bug but our site has no WordPress code in it so that isn't the problem.

This problem has nothing to do with Wordpress. My site does not use wordpress at all.I have suffered teh problem for the second time today and while i was repairing the files the attacker was still working and destroying my files again. Of course I have reported the issue again to Servage. I think that the problem is with the FTP and I have changed my password, although I am pretty sure that noone could break my password using brutal force.

isol: This problem has nothing to do with Wordpress. My site does not use wordpress at all.

I have suffered teh problem for the second time today and while i was repairing the files the attacker was still working and destroying my files again. Of course I have reported the issue again to Servage. I think that the problem is with the FTP and I have changed my password, although I am pretty sure that noone could break my password using brutal force.

It would be interesting to know if you are all on the same server? Is it not a possibility the server as a whole has been compromised giving access to everyones accounts on there..